Could not find a script that will enumerate all servers from AD (or specific OU) and give me a centralized CSV output of all the members of the servers local administrators group.
So I wrote one...
The script also enumerate groups members and indicate if the object is a user / computer or group (and then write the group name).
The script also check if the server is reachable and if you can connect via WMI, if nor indicates it in the output.
Console output is available.
Enjoy.
========================================
import-module ActiveDirectory
cls
$array = @()
$test2 = ""
#get local admin function
function get-localadmin {
param ($strcomputer)
$admins = Get-WmiObject win32_groupuser –computer $strcomputer -EV Err -EA SilentlyContinue
$admins = $admins |? {$_.groupcomponent –like '*"Administrators"'}
$admins |% {
$_.partcomponent –match “.+Domain\=(.+)\,Name\=(.+)$” > $nul
$matches[1].trim('"') + “\” + $matches[2].trim('"')
}
}
#list all servers to proccess [replace this with your OU structure]
$Comp = Get-ADComputer -SearchBase 'OU=Servers,dc=domain,dc= local' -Filter '*' | Select -Exp Name
#run on each server
foreach ($ADServer in $Comp) {
#Test if the server is responsive
$test = Test-Connection -computername $ADServer -Count 1 -Quiet
Write-Host "`nProccessing " $ADServer "..." -NoNewLine
If ($test -eq "True") {
#run the WMI command and catch errors
Try { $FnLocalAdmins = get-localadmin $ADServer }
Catch {
Write-Host " WMI error`n"
$test2 = "Error"
$Properties = @{Server=$ADServer;Admin="WMI Error";Type="Error"}
$Newobject = New-Object PSObject -Property $Properties
$array += $newobject
}
foreach ($Admins in $FnLocalAdmins) {
#split the username form the domain or server
$split = $Admins.Split('\')
$domain = $split[0]
$usr = $split[1]
#Check if the object is local or domain based [Replace this with your domain name]
If ($domain -eq "YOUR_DOMAIN") {
$u = Get-ADObject -Filter {samaccountname -eq $usr} -Properties objectClass
#check if the object is user, computer or group
Switch ($u.objectclass) {
User {
$Properties = @{Server=$ADServer;Admin=$usr; Type="Domain"}
$Newobject = New-Object PSObject -Property $Properties
$array += $newobject
; break}
Computer {
$Properties = @{Server=$ADServer;Admin=$usr; Type="Computer"}
$Newobject = New-Object PSObject -Property $Properties
$array += $newobject
; break}
Group {
$g = get-adgroupmember $usr -recursive
foreach ($groupuser in $G) {
$Properties = @{Server=$ADServer;Admin=$ groupuser.samaccountname;Type= $usr}
$Newobject = New-Object PSObject -Property $Properties
$array += $newobject }
;break}
Default {
$Properties = @{Server=$ADServer;Admin=$usr; Type="Bad Object"}
$Newobject = New-Object PSObject -Property $Properties
$array += $newobject
;break}
}
}
Else {
$Properties = @{Server=$ADServer;Admin=$usr; Type="Local"}
$Newobject = New-Object PSObject -Property $Properties
$array += $newobject
}
}
#write back to the console that all went ok
If ($test2 -eq "Error") {$test2 = ""} Else {
Write-Host " OK"
$test2 = "" }
}
Else {
Write-Host " Unreachable`n" -NoNewLine
$Properties = @{Server=$ADServer;Admin=" Unreachable";Type="Error"}
$Newobject = New-Object PSObject -Property $Properties
$array += $newobject
}
}
#export the results to a csv file
$array | export-csv -Path "D:\Scripts\Server\Output\ LocalAdmins.csv" -Delimiter ";" -NoTypeInformation -Encoding UTF8
This worked perfectly on my environment. thank you for sharing.
ReplyDelete